“Reduce, reuse, recycle” is the mantra of the green movement. In fact, that slogan is itself really just a recycling, as it were, of the old adage “waste not, want not.” It makes sense: Reducing waste, reusing items or recycling things that are no longer useful in their current form conserves both natural resources — which don’t have to be harvested or mined — and limited landfill space.

But are there things for which this thrifty mindset doesn’t work? Yes — passwords.

While reducing, reusing and recycling passwords across multiple sites makes them a lot easier to keep up with, it also makes accounts a lot easier to hack. In fact, it reduces your overall security to the level of the most insecure system the password is used on, since a breach on one site effectively rends all the others using the same credentials vulnerable as well.

This means that if an attacker steals your password for a site on which you have no sensitive information stored and, as a result, security was an afterthought both for you and the site administrators, that attacker also has the key to potentially unlock all the other sites you use, including the ones where your most valuable data is stored. If that data happens to be credit card numbers, identity information or corporate secrets, things could get very bad in a hurry.

The Danger Is Real

Apparently, the breach resulted from — you guessed it — reuse of passwords across multiple sites. Apple responded by advising affected users to “change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services.”

This is good advice even if you haven’t been hacked. In fact, it’s even better advice to use before you are hacked to prevent damage in the first place.

Lock Down Passwords with SSO

So how can you maintain passwords that are:

  • Unique for each system;
  • Hard to guess (which usually makes them hard to remember); and
  • Changed frequently?

Either develop a superpower to remember random details or use a single sign-on (SSO) tool to manage all the minutiae. Since the latter is easier to acquire than the former, I’d opt for that alternative. The SSO tool can reduce the password problem to a manageable size by giving you a single master key to unlock the vault of unique passwords it has generated for you for each site and not reuse or recycle existing credentials. This approach contains the damage of a breach on one system to only that system and prevents the sort of cascading failure that presumably was at the source of all the locked iPhones.

If you’re concerned that the SSO tool could be hacked, then use two-factor authentication to lock it down so that an attacker would have to not only steal your master password, but also your security token, mobile phone or fingerprint as well. While not impossible, it certainly makes things more difficult for the bad guys, and that’s the goal.

Also, don’t overlook the fact that this may be the only security enhancement you will ever implement that will actually improve the accessibility and usability of your system, since the SSO tool will not only manage all your unique, random, constantly changing passwords, it will actually type them in for you automatically so typos during log-on become a thing of the past.

More from Identity & Access

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Artificial intelligence threats in identity management

4 min read - The 2023 Identity Security Threat Landscape Report from CyberArk identified some valuable insights. 2,300 security professionals surveyed responded with some sobering figures: 68% are concerned about insider threats from employee layoffs and churn 99% expect some type of identity compromise driven by financial cutbacks, geopolitical factors, cloud applications and hybrid work environments 74% are concerned about confidential data loss through employees, ex-employees and third-party vendors. Additionally, many feel digital identity proliferation is on the rise and the attack surface is…

X-Force certified containment: Responding to AD CS attacks

6 min read - This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled…

CISA, NSA issue new IAM best practice guidelines

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released a new 31-page document outlining best practices for identity and access management (IAM) administrators. As the industry increasingly moves towards cloud and hybrid computing environments, managing the complexities of digital identities can be challenging. Nonetheless, the importance of IAM cannot be overstated in today's world, where data security is more critical than ever. Meanwhile, IAM itself can be a source of vulnerability if not implemented…